Cyber-Security: Some Thoughts
V.S. Subrahmanian
Center for Digital International Government, Computer Science Dept. & UMIACS, University of Maryland
Parts of this talk reflect joint work with M. Albanese, S. Jajodia, C. Molinaro, A. Pugliese, N. Rullo, C. Thomas
V.S. Subrahmanian, Geo-Intelligence India 2013
Disclaimers
- All work described in this talk only uses open-source data.
- All work in this talk is basic research, tested wherever possible against real-world data.
- All work reported in this talk has been published in the scientific literature.
Talk Outline
- Terminology: vulnerabilities, exploits
- Technology:
  - Monitoring networks for known attacks
  - Monitoring networks for unknown attacks
- Social media (Sybil, sockpuppet) attacks
Terminology
- Vulnerability: a flaw or feature of software that an attacker can use, usually in a way the software designer did not anticipate, to attack a system. The US National Vulnerability Database (nvd.nist.gov) lists over 56K vulnerabilities together with suggested patches.
- Exploit: a piece of code that takes advantage of a vulnerability to carry out an attack. Databases of exploits also exist; some sites claim over 22K exploits in their database.
The Cyber Trade: The Scary Part
- "Exploits as a service" is now cheap and efficient for attackers (criminals, nation states).
- Exploits, or parts thereof, for different kinds of attacks can be bought for a very small price compared to the prices of the artifacts used in kinetic attacks.
Activity Detection Engine
[Architecture figure; components shown:]
- OFFLINE: ALE (Activity Learning Engine) and a database of known activities, both bad and good.
- ONLINE: real-time observation data (network, resource use and more) feeds the tMAGIC activity detection engine / PASS (Parallel Activity Search System), which searches for known activities, and the Unexplained Activity Detection Engine (Parallel Unexplained Activity Detection), which looks for activity matching no known model.
- Results go to a Security Analyst Interface.
Attack Graphs and Temporal Attack Graphs
Attack graphs
- C's are conditions, V's are vulnerabilities.
- Conditions C4 and C5 are both needed to exploit vulnerability V4 (an AND precondition). Exploiting V4 establishes condition C6.
Temporal attack graphs
- Only the vulnerabilities are modelled, not the conditions.
- The figure on the left says vulnerability V4 can be exploited if V3 and either V1 or V2 can be exploited (an AND over ORs).
- Probabilistic versions exist.
- Databases of vulnerabilities and attack graphs are available.
Attack Graphs Can be Merged
Merging a large set of attack graphs into one graph means the matching task is solved once: a single search over one stream of transactional data finds occurrences of any of the merged graphs.
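The two representations above (condition/vulnerability graph and the vulnerability-only temporal view) and the effect of merging, as an added example in Python. This is not code from the talk or from the tMAGIC/PASS system: node labels C1..C6 and V1..V4 follow the slide's notation, but the edge sets, the second graph (V5, V6, C7, C8) and the fixpoint evaluation are constructed here for illustration.

```python
"""Attack-graph evaluation and merging.

Added example; not code from the talk. Node labels C1..C6 and V1..V4 follow
the slide's notation, but the edge sets below and the second graph (V5, V6,
C7, C8) are constructed here for illustration.
"""
from collections import defaultdict


class AttackGraph:
    """Conditions are facts the attacker has established (e.g. a foothold on
    a host). A vulnerability can be exploited only when ALL of its
    precondition conditions hold, and exploiting it grants its postconditions.
    A condition granted by several vulnerabilities is reachable via ANY one."""

    def __init__(self):
        self.pre = defaultdict(set)   # vulnerability -> required conditions
        self.post = defaultdict(set)  # vulnerability -> granted conditions

    def add_exploit(self, vuln, requires, grants):
        self.pre[vuln] |= set(requires)
        self.post[vuln] |= set(grants)
        return self

    def merge(self, other):
        """Union of two graphs. Nodes with the same label are the same node,
        so a condition reached in one graph can enable exploits of the other."""
        merged = AttackGraph()
        for g in (self, other):
            for v in g.pre:
                merged.add_exploit(v, g.pre[v], g.post[v])
        return merged

    def reachable(self, initial):
        """Least fixpoint: fire every vulnerability whose preconditions all
        hold until nothing new is reachable. Returns (conditions, exploited)."""
        held = set(initial)
        fired = set()
        changed = True
        while changed:
            changed = False
            for v, req in self.pre.items():
                if v not in fired and req <= held:
                    fired.add(v)
                    held |= self.post[v]
                    changed = True
        return held, fired

    def vuln_dependencies(self):
        """Project the conditions away to get the vulnerability-only view of
        the temporal attack graph: for each vulnerability, one entry per
        precondition holding the set of vulnerabilities that can establish
        it (AND over ORs). An empty set means the condition must be held
        initially."""
        producers = defaultdict(set)
        for v, grants in self.post.items():
            for c in grants:
                producers[c].add(v)
        return {v: [frozenset(producers[c]) for c in sorted(req)]
                for v, req in self.pre.items()}


def build_slide_graph():
    """The graph described on the slide: V1 or V2 establishes C4, V3
    establishes C5, V4 needs C4 and C5 and establishes C6."""
    return (AttackGraph()
            .add_exploit("V1", {"C1"}, {"C4"})
            .add_exploit("V2", {"C2"}, {"C4"})
            .add_exploit("V3", {"C3"}, {"C5"})
            .add_exploit("V4", {"C4", "C5"}, {"C6"}))


def build_second_graph():
    """A second, constructed graph sharing labels C1 and C6 with the first."""
    return (AttackGraph()
            .add_exploit("V5", {"C6"}, {"C7"})
            .add_exploit("V6", {"C1"}, {"C8"}))


if __name__ == "__main__":
    g = build_slide_graph()
    print(g.reachable({"C1", "C3"}))       # C6 reached via V1, V3, V4
    print(g.reachable({"C2"}))             # only C4: C5 never holds, V4 blocked
    print(g.vuln_dependencies()["V4"])     # [{V1, V2}, {V3}] = (V1 or V2) and V3
    merged = g.merge(build_second_graph())
    print(merged.reachable({"C1", "C3"}))  # one evaluation covers both graphs
```

The merged graph is evaluated with a single `reachable` call, which is the point of merging: the attacker's progress through either graph, and through chains that cross from one into the other via shared labels, comes out of one pass.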
Attack Graphs
Attack graphs can be built semi-automatically and used to monitor live network traffic. But two key problems need to be solved:
- How to monitor huge volumes of traffic?
- How to identify unexpected activities that you did not know about in the past, and add them to your activity knowledge base?
Activities are both bad (attacks) and good (innocuous). Models of both good and bad activities are needed in order to identify what is abnormal or unexplained.
Finding Known Activities: PASS (Parallel Activity Search System)
- Developed an algorithm to identify all instances of a known activity in an observation stream that have at least a certain probability.
- Demonstrated the ability to automatically detect activities in a stream of observation data arriving at 500K+ observations per second on an 8-node cloud.
- Demonstrated the ability to identify unexplained behavior in observation streams with precision over 80% and recall over 70%.
Unexplained Activities
How can we look for activities that have never been anticipated?
Answer:
- Set up a framework to continuously track unexplained activities.
- Present unexplained activities quickly to a security analyst, who flags each one as a bad activity or as an OK activity.
- Update the repertoire of known activity models with this security analyst feedback.
What is an unexplained activity? It is a sequence (not necessarily contiguous) of events that is inconsistent with all known activity models, good or bad.
Unexplained does not necessarily mean bad.
There is also a lot of work on statistical anomaly detection (not in my lab).
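The known-activity search of the PASS slide and the unexplained-activity definition above, as one added example in Python. It is not the talk's PASS or unexplained-activity-detection code: the activity-model format (ordered event kinds, one maximum time gap, per-transition probabilities), the rule that the events of one instance share a source, the instance probability (product of sensor confidences and transition probabilities), the threshold t and the observation stream are all assumptions constructed here for illustration.

```python
"""Known-activity search and unexplained-activity detection over an
observation stream.

Added example; not the PASS or unexplained-activity-detection code from the
talk. The activity-model format, the one-source-per-instance rule, the
constructed stream and the threshold t are assumptions made for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Obs:
    ts: float    # seconds
    kind: str    # low-level event type, e.g. an IDS alert class
    src: str     # entity the event is attributed to (host, account, ...)
    conf: float  # probability the event really occurred (sensor confidence)


@dataclass(frozen=True)
class Activity:
    name: str
    bad: bool
    steps: tuple    # ordered event kinds, e.g. ("auth_fail", "auth_success")
    max_gap: float  # max seconds between consecutive steps of an instance
    trans: tuple    # probability of each transition; len(steps) - 1 entries


def find_instances(model, stream, t):
    """All subsequences of the stream (not necessarily contiguous) that match
    the model step by step, come from one source, respect the time gap and
    have probability >= t. Instance probability = product of the observations'
    confidences times the model's transition probabilities.
    Returns a list of (probability, tuple_of_obs)."""
    stream = sorted(stream, key=lambda o: o.ts)
    found = []

    def extend(start, prefix, prob):
        if prob < t:                      # probabilities only shrink: prune
            return
        k = len(prefix)
        if k == len(model.steps):
            found.append((prob, tuple(prefix)))
            return
        for j in range(start, len(stream)):
            o = stream[j]
            if prefix:
                last = prefix[-1]
                if o.ts - last.ts > model.max_gap:
                    break                 # time-sorted: nothing later fits
                if o.kind != model.steps[k] or o.src != last.src or o.ts <= last.ts:
                    continue
                p = prob * o.conf * model.trans[k - 1]
            else:
                if o.kind != model.steps[0]:
                    continue
                p = o.conf
            extend(j + 1, prefix + [o], p)

    extend(0, [], 1.0)
    return found


def unexplained(models, stream, t):
    """Events covered by no instance (probability >= t) of any known model,
    good or bad, grouped per source in time order. These go to the analyst;
    unexplained does not mean bad."""
    covered = set()
    for m in models:
        for _, inst in find_instances(m, stream, t):
            covered.update(inst)
    runs = {}
    for o in sorted(stream, key=lambda o: o.ts):
        if o not in covered:
            runs.setdefault(o.src, []).append(o)
    return runs


MODELS = (
    Activity("password_guessing", bad=True,
             steps=("auth_fail", "auth_fail", "auth_success"),
             max_gap=60.0, trans=(0.9, 0.8)),
    Activity("patch_cycle", bad=False,
             steps=("pkg_download", "service_restart"),
             max_gap=300.0, trans=(0.95,)),
)

# Constructed observation stream (not real data).
STREAM = (
    Obs(0, "auth_fail", "h1", 0.9), Obs(10, "auth_fail", "h1", 0.9),
    Obs(20, "auth_success", "h1", 1.0),               # known bad activity
    Obs(100, "pkg_download", "h2", 1.0), Obs(130, "service_restart", "h2", 1.0),
    Obs(200, "dns_query", "h3", 1.0), Obs(201, "outbound_tls", "h3", 0.95),
    Obs(240, "dns_query", "h3", 1.0), Obs(241, "outbound_tls", "h3", 0.95),
    Obs(300, "auth_fail", "h4", 0.9), Obs(400, "auth_success", "h4", 1.0),
    Obs(500, "auth_fail", "h5", 0.5), Obs(510, "auth_fail", "h5", 0.5),
    Obs(520, "auth_success", "h5", 1.0),              # low-confidence sensors
)


if __name__ == "__main__":
    for t in (0.5, 0.1):
        print(f"t = {t}")
        for m in MODELS:
            for p, inst in find_instances(m, STREAM, t):
                print(f"  {m.name} ({'bad' if m.bad else 'good'}) p={p:.3f}",
                      [o.ts for o in inst])
        for src, run in unexplained(MODELS, STREAM, t).items():
            print(f"  unexplained on {src}:", [(o.ts, o.kind) for o in run])
```

Running it shows the role of the threshold: at t = 0.5 the low-confidence h5 events match no model and are reported as unexplained alongside h3 and h4; at t = 0.1 the same events become an instance of the bad model and drop out of the unexplained set. Lowering t therefore trades more (weaker) known-activity matches for fewer unexplained items, which is the knob an analyst would tune before reviewing what is left.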
Example Unexplained Activity
[Figure only; no text on this slide]
Unexplained Activity Detection
[Figures: results for totally unexplained and partially unexplained activities]
Tested using network traffic from a university. Wireshark was used to capture the network traffic; SNORT was used for the activity models.
Unexplained Activity Detection
[Figures: runtime plots]
- Looking for a larger top-K increases runtime.
- Increasing the threshold t reduces runtime.
- Increasing the sequence length reduces runtime.
- Looking at more worlds increases runtime.
Same test setup as the previous slide: university network traffic captured with Wireshark, SNORT used for the activity models.
An Election Social Media Attack
- Protesters gather in a central square. Over 300 protesters are arrested.
- Protesters tweet extensively, using a small number of highly trending hashtags on Twitter.
- A social media attack using over 25K Twitter accounts and over 400K tweets is launched.
- The protest is effectively shut down.
Election Social Media Attack
Grading the attack:
- B: Intelligence preparation of the battlefield. Well done.
- A: Situation awareness and surveillance of the battlefield.
- C+: Power projection. Effective in influencing the discussion, but poorly done.
- D: Did not get in and out effectively. Used poor proxies to carry out the attack. Assets not reusable.
Social Media Attacks (SMAs)
- A major state-backed threat.
- SMAs cause a viral increase in the number of social media posts in support of a particular cause or position.
- SMAs can destabilize a country's decision making by providing a false picture of support for or against a given position.
Other Relevant Work
- Algorithms to identify common patterns in huge networks (1B+ edges).
- Ability to update identified patterns in huge networks as the network changes (540M+ edges).
- Algorithms to find a set of K nodes that optimizes an arbitrary objective function on a network (31M+ edges).
- Algorithms to identify important nodes in attributed, weighted networks.
- Learning to cluster malware variants.
Current Directions
- Learning activity models: given some set of low-level events that can be detected, can we learn the stochastic temporal automata directly from the data in a semi-supervised manner?
- Parallel unexplained activity detection: can we scale up our current algorithms to identify unexplained activities in high-throughput streams?
Contact Information
V.S. Subrahmanian
Dept. of Computer Science & UMIACS, University of Maryland, College Park, MD
Tel:
Web: